
Mobile Engage - Contact Authentication from Mobile Devices

Updated: June 12, 2018 14:04

In order to prevent your customers' personal data (US: PII) being stored in our cloud infrastructure, we require the use of unique, non-guessable and immutable contact identifiers, instead of easily guessable identifiers like email addresses or phone numbers. Using PII as the primary contact identifier for mobile devices is not supported.

If the user name is insecure (for example, if it is visible to other users, or other users could guess it), then it represents a security risk, as anyone could impersonate that user and receive personalized messages not meant for them.

We recommend that you use a new custom field containing a hash computed over that username together with a secret. This custom field should be generated on your server side.

You can use any immutable, non-sequential, non-guessable unique identifier. If you have one already used to uniquely identify customers internally, you could use that.

Or, if you want to use email, you can take the email, add a long string (secret) that lives solely on your server, and then apply a hash function to the email combined with that secret long string, which only you know.

You would need to create a new suite field in our field editor that includes a string value. You would need to import the hashed values of your clients into our DB; that will then serve as the unique identifier.

You do not need to store this hashed value in your back end, because when a user logs in with their password, their email and the secret can be combined at that time to create the hashed value, which is then used in the SDK login call to Mobile Engage's backend.

For performance purposes, we recommend you store this hash instead of calculating it on every login, but this remains an optional implementation for performance optimization.
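The derivation described above, as an added Python example (not Emarsys sample code). The secret value, the email normalization step, the function names and the HMAC-SHA-256 variant are assumptions introduced for illustration; the page itself only specifies hashing the email together with a server-side secret.

```python
import hashlib
import hmac

# Constructed demo secret. Assumption: in production it is loaded from a
# server-side secret store and is never shipped inside the mobile app.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse-0123456789"


def normalize_email(email: str) -> str:
    # Assumption: trim and lowercase so one customer always maps to one
    # identifier (the identifier has to be immutable).
    return email.strip().lower()


def contact_id_sha1(email: str, secret: bytes = SERVER_SECRET) -> str:
    # The construction the page describes: hash the email plus the secret.
    data = normalize_email(email).encode("utf-8") + secret
    return hashlib.sha1(data).hexdigest()


def contact_id_hmac(email: str, secret: bytes = SERVER_SECRET) -> str:
    # Swapped-in variant, not from the page: HMAC-SHA-256, the standard
    # keyed-hash construction. Any non-guessable identifier is acceptable.
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unkeyed_guess(email: str) -> str:
    # What anyone who knows the address can compute without the secret.
    return hashlib.sha1(normalize_email(email).encode("utf-8")).hexdigest()


def login_identifier(email: str, cache: dict, secret: bytes = SERVER_SECRET) -> str:
    # Optional optimisation from the page: reuse a stored hash instead of
    # recomputing it on every login. `cache` stands in for your own store.
    key = normalize_email(email)
    if key not in cache:
        cache[key] = contact_id_sha1(key, secret)
    return cache[key]


if __name__ == "__main__":
    stored = {}
    # Constructed sample address.
    ident = login_identifier(" Alice@Example.com ", stored)
    print("identifier for SDK login call:", ident)
    print("guessable without the secret:",
          hmac.compare_digest(ident, unkeyed_guess("alice@example.com")))
```

Whichever construction you choose, the values imported into the custom field and the values computed at login must come from the same function and the same secret.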

Thanks to the universality of SHA-1, we can provide the following specific sample codes: